Development of a Process Assessment Model for Assessing Security of IT Networks Incorporating Medical Devices against ISO/IEC 15026-4

Anita Finnegan, Fergal Mc Caffery, Gerry Coleman

Abstract

Advancements in medical device design over the last number of years have allowed medical device manufacturers to add more complex functionality particularly through the use of software. Such advancements include the ability for devices to communicate wirelessly across networks, from device to device and over the Internet. However, with such advancements comes additional risks; these are security risks, vulnerabilities and threats. In the past twelve months, concern within the medical device community has led to the US Government calling upon the FDA to take responsibility of medical device security. In support of this, this position paper details a research proposal to address medical device security issues through the development of a Process Reference Model (PRM) and a Process Assessment Model (PAM) to assess the capability of the processes used to develop medical devices intended to be incorporated onto healthcare networks and also determine the product security capability through the development of security assurance cases created following the lifecycle process. Further, in support of IEC 80001-2-2, the output from this PRM will be an assurance case with a security assurance level, which will be used to communicate the security capabilities of the product between Medical Device Manufacturers (MDMs) and Healthcare Delivery Organisations (HDOs). The intent is to build a better awareness of vulnerability types, threats and related risks to assist in reducing the likelihood of harm resulting from a security risk.

References

  1. DHS 2012. Attack Surface: Healthcare and Public Heath Sector.
  2. Fergal McCaffery & Dorling, A. 2010. Medi SPICE Development. Software Process Maintenance and Evolution: Improvement and Practical Journal. 255- 268.
  3. Goodenough, J., Lipson, H. & Weinstock, C. 2012. Arguing Security - Creating Security Assurance Cases.
  4. Government Accountability Office 2012. Medical Devices, FDA Should Expland Its Consideration of Information Security for Certain Types of Devices. In: GAO (ed.).
  5. IEC 2010. IEC/TR 24774 Systems and software engineering. Life cycle management. Guidelines for process description.
  6. IEC 2011a. IEC 62443-3-3 Ed. 1.0, Security for industrial automation and control systems - Network and system security.
  7. Part 3-3: System security requirements and security assurance levels Introductory Note. International Electrotechnical Committee.
  8. IEC 2011b. IEC/TR 80001-1 - Application of risk management for IT-networks incorporating medical devices.
  9. IEC 2011c. IEC/TR 80001-2-2 Ed. 1.0 - Draft Technical Report - Application of risk management for ITnetworks incorporating medical devices. Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls. International Electrotechnical Committee.
  10. IEEE 2011. ISO/IEC 15026-2: 2011 Systems & Software Engineering, Systems & Software Assurance, Part 2: Assurance Case.
  11. ISO 2008. EN ISO 27799:2008 Health informatics. Information security management in health using ISO/IEC 27002.
  12. ISO/IEC 2003. ISO/IEC 15504-2: 2003 Software Engineering - Process Assessment - Performing an Assessment.
  13. ISO/IEC 2005. ISO/IEC 27002:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management.
  14. ISO/IEC 2006. ISO/IEC 15504-5: 2006 Information technology - Process Assessment - Part 5: An exemplar Process Assessment Model.
  15. NIST 2009. 800-53 Recommended Security Controls for Federal Information Systems and Organisations. In: COMMERCE, U. S. D. O. (ed.) Revision 3 ed.
  16. SEI 2010. CMMI-DEV, CMMI for Development.
Download


Paper Citation


in Harvard Style

Finnegan A., Mc Caffery F. and Coleman G. (2013). Development of a Process Assessment Model for Assessing Security of IT Networks Incorporating Medical Devices against ISO/IEC 15026-4 . In Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013) ISBN 978-989-8565-37-2, pages 250-255. DOI: 10.5220/0004327502500255


in Bibtex Style

@conference{healthinf13,
author={Anita Finnegan and Fergal Mc Caffery and Gerry Coleman},
title={Development of a Process Assessment Model for Assessing Security of IT Networks Incorporating Medical Devices against ISO/IEC 15026-4},
booktitle={Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013)},
year={2013},
pages={250-255},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004327502500255},
isbn={978-989-8565-37-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013)
TI - Development of a Process Assessment Model for Assessing Security of IT Networks Incorporating Medical Devices against ISO/IEC 15026-4
SN - 978-989-8565-37-2
AU - Finnegan A.
AU - Mc Caffery F.
AU - Coleman G.
PY - 2013
SP - 250
EP - 255
DO - 10.5220/0004327502500255